aws/amazon-kinesis-video-streams-parser-library

[QUESTION] slf4j security vulnerability dependency on log4j v1.2.17

brandontyler opened this issue · 15 comments

We are using the latest amazon-kinesis-video-streams-parser-library (v1.2.1) to grab an audio stream and save the audio to S3. However, there are several security vulnerabilities in this AWS-owned library (jar) file. One such dependency is the log4j v1.2.17 vulnerability. It is used by the slf4j dependency.

Is there a plan to update this library?

com.amazonaws amazon-kinesis-video-streams-parser-library 1.2.1

Agreed, I would also appreciate an update on this. Here is an overview of vulnerable dependencies (either direct or indirect):
[image]
E.g. the log4j issue is coming through:
com.amazonaws:amazon-kinesis-video-streams-parser-library@1.2.1 › org.slf4j:slf4j-log4j12@1.7.33 › log4j:log4j@1.2.17

Our solution for now has been to fork the repo and do the upgrades ourselves.

Thank you for the reply! I'm curious how you are "doing the upgrade ourselves"

Hi, thank you for bringing this to our notice. This is being worked on and the thread will be updated once it is available on Maven for use.

Thank you for resolving this!
And what about the rest of the vulnerabilities:

#1 io.netty:netty-codec SNYK-JAVA-IONETTY-564897
#2 com.google.protobuf:protobuf-java SNYK-JAVA-COMGOOGLEPROTOBUF-2331703
#3 io.netty:netty-codec-http SNYK-JAVA-IONETTY-543490
#4 io.netty:netty-handler SNYK-JAVA-IONETTY-1082235
#5 io.netty:netty-transport SNYK-JAVA-IONETTY-1082236
#6 io.netty:netty-common SNYK-JAVA-IONETTY-1082234
#7 com.google.guava:guava SNYK-JAVA-COMGOOGLEGUAVA-32236
#8 commons-io:commons-io SNYK-JAVA-COMMONSIO-1277109

@brandontyler,

Can you point me to the packages you are talking about in the pom.xml file? From what I see, we do not directly depend on these packages.

Looking at a dependency report I found these dependencies in com.amazonaws:amazon-kinesis-video-streams-parser-library:

"com.amazonaws:aws-java-sdk-kinesisvideo:jar:1.11.487:compile" -> "io.netty:netty-codec-http:jar:4.1.17.Final:compile" ;
"com.amazonaws:aws-java-sdk-kinesisvideo:jar:1.11.487:compile" -> "io.netty:netty-handler:jar:4.1.17.Final:compile" ;

"com.amazonaws:amazon-kinesis-client:jar:1.14.7:compile" -> "com.google.protobuf:protobuf-java:jar:3.19.1:compile" ;

"com.amazonaws:amazon-kinesis-video-streams-producer-sdk-java:jar:1.8.0:compile" -> "com.google.guava:guava:jar:21.0:compile" ;

"com.amazonaws:amazon-kinesis-video-streams-producer-sdk-java:jar:1.8.0:compile" -> "commons-io:commons-io:jar:2.4:compile" ;
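For readers asking how the transitive log4j 1.x pull-in can be cut off in their own build while an upstream release is pending, the following application pom.xml fragment excludes the slf4j-log4j12 binding from the parser library and pins the other transitive artifacts named in the dependency report above through dependencyManagement. It is an added illustration, not the project's own pom or any commenter's configuration; the PATCHED_* property values are placeholders to be replaced with the versions your scanner reports as fixed, and logback-classic is an assumed choice of replacement SLF4J binding.

```xml
<project>
  <properties>
    <!-- Constructed placeholders: set these to the versions your scanner reports as fixed -->
    <netty.version>PATCHED_NETTY_VERSION</netty.version>
    <protobuf.version>PATCHED_PROTOBUF_VERSION</protobuf.version>
    <logback.version>PATCHED_LOGBACK_VERSION</logback.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <!-- Importing netty-bom pins every io.netty artifact (codec, codec-http, handler, transport, common) at once -->
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-bom</artifactId>
        <version>${netty.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <!-- Individual artifacts are pinned one by one; guava and commons-io are handled the same way -->
      <dependency>
        <groupId>com.google.protobuf</groupId>
        <artifactId>protobuf-java</artifactId>
        <version>${protobuf.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.amazonaws</groupId>
      <artifactId>amazon-kinesis-video-streams-parser-library</artifactId>
      <version>1.2.1</version>
      <exclusions>
        <!-- Drop the SLF4J binding that drags in log4j:log4j:1.2.17 -->
        <exclusion>
          <groupId>org.slf4j</groupId>
          <artifactId>slf4j-log4j12</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <!-- Supply a maintained SLF4J binding instead so application logging keeps working -->
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-classic</artifactId>
      <version>${logback.version}</version>
    </dependency>
  </dependencies>
</project>
```

Forcing a newer version onto a library that was compiled against an older one can break it at runtime, so run the application's tests after overriding and confirm the exclusion took effect with `mvn dependency:tree -Dincludes=log4j:log4j`, which should report no matching artifact.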

Any update on these vulnerabilities?

Hi @brandontyler, we are looking into it. We will update the issue once we have something.

Thank you so much!

Hi @brandontyler, we have released 1.2.3 on GitHub as well as Maven for the parser-library, which has the packages upgraded. Please check if it fixes the issues.

Thank you so much for working on this. I'll update and test.

Sure, closing this issue for now. Feel free to reopen it in case of any further questions.

@niyatim23 can you reopen and have a look at:
[image]

Or maybe I should go ahead and bother the amazon kinesis client guys? ;-)

Hi @BoyeMagnus, there was a recent release for amazon-kinesis-client in February after our release. The newest version of the amazon-kinesis-client would fix this. We'll work on updating this for the parser library and let you know once we have something.

Hi @BoyeMagnus, the release 1.2.4 is available on GitHub as well as Maven. Please check if the update fixes your issue. Closing this issue for now. Feel free to reopen it in case of any further questions.